To give users easier access while still protecting the security of data, Google has developed context-aware access (CAA). It provides granular controls for Google Workspace apps based on a user’s identity and the context of the request, such as device security status or IP address. Built on the BeyondCorp security model developed by Google, it lets users access web applications and infrastructure resources from virtually any device, anywhere, without remote-access VPN gateways, while administrators retain control over the device. Access policies, such as 2-Step Verification, can still be set for all members of an organizational unit or group.
Download the Endpoint Verification extension from the Chrome Web Store
Alternatively, administrators can force-install by:
Click Devices > Chrome > Apps & extensions > Users & browsers
Click the yellow plus (+) button at the bottom right and select Chrome Web Store
Search for callobklhcbilhphinckomhgkigmfocg
Click Select
Click “Endpoint Verification” to configure it
Tick the boxes for “Allow access to keys” and “Allow enterprise challenge” and save the changes
Click the drop-down arrow beside “Allow install” and select “Force install”
Save changes
Admins can create access levels that define the context within which users can access apps.
Access levels combine conditions and values that define a user or device context.
Click Security > Context-Aware Access > Create new access level
Define a name, description and conditions for the access level
Click “Create access level”
After creating access levels, admins can assign apps to them, so that users’ access is restricted to the permitted apps.
Click Security > Context-Aware Access > Assign access levels
Tick the boxes for the apps you want to assign
Click “Assign” > tick the access level you want to assign them to
Save changes
Admins can customize the message users see when an app is restricted, giving more information on next steps should the user still require access.
Click Security > Context-Aware Access > User message
Type the new user message
You can preview the message to see exactly what users will see when they try to access an app blocked by CAA policies
Save changes
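The three procedures above (creating an access level from conditions and values, assigning it to an app, and customizing the user message) can be reasoned about with a small policy evaluator. The following Python is an added illustration, not Google’s code and not from this page; the attribute names, the request context dictionary, and the combination rule (a level grants access if any of its conditions matches, and a condition matches only if every attribute set on it holds) are assumptions made for the example.

```python
"""Toy evaluator for Context-Aware Access style access levels (illustration only).
Assumed rule: a level grants access if ANY condition matches; a condition
matches only if ALL of its set attributes hold for the request context."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Condition:
    ip_subnets: list = field(default_factory=list)  # e.g. ["203.0.113.0/24"]
    os_types: list = field(default_factory=list)    # e.g. ["mac", "windows"]
    require_screenlock: bool = False
    require_encryption: bool = False

    def matches(self, ctx: dict) -> bool:
        # ctx: assumed device/request facts, as Endpoint Verification would report them
        if self.ip_subnets:
            ip = ipaddress.ip_address(ctx["ip"])
            if not any(ip in ipaddress.ip_network(n) for n in self.ip_subnets):
                return False
        if self.os_types and ctx.get("os") not in self.os_types:
            return False
        if self.require_screenlock and not ctx.get("screenlock", False):
            return False
        if self.require_encryption and not ctx.get("encrypted", False):
            return False
        return True

@dataclass
class AccessLevel:
    name: str
    conditions: list  # list[Condition]; at least one must match

    def grants(self, ctx: dict) -> bool:
        return any(c.matches(ctx) for c in self.conditions)

def evaluate(assignments: dict, app: str, ctx: dict, user_message: str) -> str:
    """Return "allow", or the custom user message when the app's level blocks it.
    assignments maps app name -> AccessLevel; an app with no level is unrestricted."""
    level = assignments.get(app)
    if level is None or level.grants(ctx):
        return "allow"
    return user_message

# Constructed sample policy: on the corporate subnet, OR a locked and encrypted Mac.
SAMPLE_POLICY = {"Gmail": AccessLevel("managed-or-onsite", [
    Condition(ip_subnets=["203.0.113.0/24"]),
    Condition(os_types=["mac"], require_screenlock=True, require_encryption=True),
])}
SAMPLE_MESSAGE = "Access blocked: enrol your device in Endpoint Verification and turn on screen lock."
```

Calling `evaluate(SAMPLE_POLICY, "Gmail", ctx, SAMPLE_MESSAGE)` with a context that fails both conditions returns the custom message, which is what the blocked user would see.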
Admins can enable CAA for third-party SAML apps that use Google as the identity provider. A third-party identity provider (IdP) can also be used: the third-party IdP federates to Google Cloud Identity, and Google Cloud Identity federates to the SAML apps.
However, admins can’t enforce Context-Aware policies on:
Mobile apps, such as the Gmail app or the Apple Mail app
Desktop apps, such as Drive for desktop
The steps are the same as for assigning apps to access levels; admins only need to make sure that they have a sample app that fulfils the conditions above.